The cryptocurrency giveaway scammers are up to their tricks again on Twitter, and it seems that Twitter simply can’t keep up with them.

Here’s a recent scam that has been spread across the network via a promoted tweet from a hijacked account:

The message, complete with typos, reads as follows before linking to a webpage which purports to be related to Musk’s SpaceX project:

I’m giving 10 000 Bitcoic (BTC) to all community!

I left the post of director of Tesla, thank you all for your suppoot!

I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin.

What’s happened here is a verified account, film distributor @patheuk, has been compromised with its its avatar changed to to the same one chosen by the real @elonmusk, and its display name changed to resemble that of Elon Musk (in reality the “l” is from an extended character set, presumably in an attempt to avoid being automatically locked by Twitter).

Of course, not everyone follows the likes of Pathé UK on Twitter, and so whoever has hijacked the account uses a Twitter promoted ad to blast the message into the timelines of innocent Twitter users.

And because @patheuk’s verified “tick” is still there, some tweeters might be duped into thinking that it really is a Bitcoin giveaway offer from the famous businessman.

But if even that isn’t quite enough to dupe the unwary, there are also plenty of other compromised Twitter accounts (yes, also with verified “ticks’) prepared to chime in on the thread claiming that after giving Bitcoin to the fake “Elon Musk” they successfully received more in return, and retweeting the message to their own followers.

According to one exuberant hijacked verified account that was helping to promote the scam:

I also sent 0.80 BTC and got back 8 Bitcoins!

Deposit Completed! BTC 8.0000000,

I can not believe it!!!!!!!!

No, I can’t believe it either.

As Motherboard journalist Joseph Cox mentions, the hijacked Pathé UK account even retweeted genuine tweets from the real Elon Musk in an attempt to make its bogus guise appear more convincing.

Pathé UK appears to have regained control of its account and the offending message has been erased.

But, of course, that’s not going to stop scammers who can earn a handsome profit from exploiting Twitter users’ gullibility. Even as I was writing this article I received a report of another verified Twitter account (British high street retailer @matalan) which had begun spewing out a bogus crypto-giveaway.

And this time they hadn’t made the same spelling mistakes.

What should Twitter do about scams like this? Well, they need to recognise that whatever it is currently doing about hijacked verified accounts spreading scams and even buying ads to promote scams is clearly not working.

So they need to do something else.

One thought I have is that it should be harder to hijack a verified Twitter account, even if a hacker has managed to obtain the account’s password. Twitter already has a way to dramatically reduce the chances of a Twitter account being compromised - two-step verification via a third-party app like Google Authenticator. Twitter calls its implementation of 2SV“Login Verification”.

Twitter recommends that verified account holders enable Login Verification, but my guess is that many still don’t bother.

I think if Twitter wants to better protected its verified users, it should make Login Verification mandatory. And if a user turns off Login Verification, they should also lose their verified “tick”.

For further discussion of this, and other stories from the world of security and online privacy, be sure to check out the “Smashing Security” podcast:

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.